Best Practices: 6 Steps to Developing a Risk-Based Security Strategy

Randy George, 11/30/12

Achieving total security in an organization is impossible. Once you have accepted this simple (but often hard-to-swallow) fact, you can move forward with a risk-based security strategy, in which priorities are established and decisions are made through a process of evaluating the sensitivity of data, the vulnerability of systems and applications, and the likelihood of threats. By making risk-based decisions, security organizations can develop more practical and realistic security goals, and spend their resources in a more effective way.

Addressing real risk is not a new concept: Most capable IT departments already factor risk and prioritization into the way they deploy services and security policy. But few formalize risk assessment and asset prioritization into each and every purchasing and policy decision they make.

In this report, we offer some recommendations on how to develop a risk-based security strategy and implement it across the enterprise. (S6251212)